From cbb21cca098f9063b0ff5548b2c73ab517f55ea5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 30 Mar 2013 01:40:11 -0400
Subject: [PATCH] execute: convert secure bits into mask properly

C.f. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5975c725dfd6f7d36f493ab1453fbdbd35c1f0e3
---
 src/core/execute.c       | 16 ++++++++--------
 src/core/load-fragment.c | 12 ++++++------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/core/execute.c b/src/core/execute.c
index 6aa0083bc..85edca17e 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -671,9 +671,9 @@ static int enforce_user(const ExecContext *context, uid_t uid) {
 
                 /* First step: If we need to keep capabilities but
                  * drop privileges we need to make sure we keep our
-                 * caps, whiel we drop privileges. */
+                 * caps, while we drop privileges. */
                 if (uid != 0) {
-                        int sb = context->secure_bits|SECURE_KEEP_CAPS;
+                        int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
 
                         if (prctl(PR_GET_SECUREBITS) != sb)
                                 if (prctl(PR_SET_SECUREBITS, sb) < 0)
@@ -1963,12 +1963,12 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
         if (c->secure_bits)
                 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
                         prefix,
-                        (c->secure_bits & SECURE_KEEP_CAPS) ? " keep-caps" : "",
-                        (c->secure_bits & SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
-                        (c->secure_bits & SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
-                        (c->secure_bits & SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
-                        (c->secure_bits & SECURE_NOROOT) ? " noroot" : "",
-                        (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
+                        (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
+                        (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
+                        (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
+                        (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
+                        (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
+                        (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
 
         if (c->capability_bounding_set_drop) {
                 unsigned long l;
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 6d90428af..65a2a3924 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -846,17 +846,17 @@ int config_parse_exec_secure_bits(
 
         FOREACH_WORD_QUOTED(w, l, rvalue, state) {
                 if (first_word(w, "keep-caps"))
-                        c->secure_bits |= SECURE_KEEP_CAPS;
+                        c->secure_bits |= 1<<SECURE_KEEP_CAPS;
                 else if (first_word(w, "keep-caps-locked"))
-                        c->secure_bits |= SECURE_KEEP_CAPS_LOCKED;
+                        c->secure_bits |= 1<<SECURE_KEEP_CAPS_LOCKED;
                 else if (first_word(w, "no-setuid-fixup"))
-                        c->secure_bits |= SECURE_NO_SETUID_FIXUP;
+                        c->secure_bits |= 1<<SECURE_NO_SETUID_FIXUP;
                 else if (first_word(w, "no-setuid-fixup-locked"))
-                        c->secure_bits |= SECURE_NO_SETUID_FIXUP_LOCKED;
+                        c->secure_bits |= 1<<SECURE_NO_SETUID_FIXUP_LOCKED;
                 else if (first_word(w, "noroot"))
-                        c->secure_bits |= SECURE_NOROOT;
+                        c->secure_bits |= 1<<SECURE_NOROOT;
                 else if (first_word(w, "noroot-locked"))
-                        c->secure_bits |= SECURE_NOROOT_LOCKED;
+                        c->secure_bits |= 1<<SECURE_NOROOT_LOCKED;
                 else {
                         log_error("[%s:%u] Failed to parse secure bits, ignoring: %s",
                                   filename, line, rvalue);
-- 
2.30.2